Methods and apparatus for detecting fraud with time based computer tags

ABSTRACT

Systems and methods for creating and analyzing computer tag information for the prevention or detection of potential fraud. Computers and other devices accessing the Web carry device tags with date and time information describing when they were issued by a security tag server. A server time stamp may be inserted into time based computer tags such as cookies, indicating when they were created. Such time stamp information can be encrypted and analyzed during future attempts to access a secure network, such as a customer attempting to log into an online banking account. When the time stamp information from the tag is compared to other selected information about the user, device and/or account, including but not limited to last account log-in date/time or account creation date, the invention may be used to detect suspicious activity.

FIELD OF INVENTION

The invention relates generally to the field of network security, including the detection and prevention of fraudulent transactions or identity theft. More particularly, the invention relates to detecting possible fraudulent transactions online by analyzing time based computer tags.

BACKGROUND OF INVENTION

The Internet is a tool for everyday use for everyday types of applications. Businesses are increasingly using the Internet as a method of communicating with customers, vendors, employees and conducting business transactions. Conducting business on the Internet is efficient and cost effective, particularly when services and information can be distributed electronically. At the same time it also creates added risk of loss and damage by hackers, identity theft, stolen credit cards, and fraudulent activities. One of the most fundamental problems with network security is user authentication—are the people gaining network access authentic or who they claim to be.

A number of strategies are commonly employed to make it relatively safer to use the Internet and to facilitate communications and online business transactions. Login names and passwords are one of the most widely used and accepted forms of basic network security. This may be considered a first or primary authentication factor based on something users know or keep in their minds. Online access is provided upon entry of an exact user login/password combination. The identification of valid login names is often trivial, particularly on systems where they are apparently visible or follow a predictable common login format, such as “firstname_lastname” or “firstinitial_lastname.” It is also difficult to secure password information given natural human tendencies. End users often adopt common or simple passwords, share passwords, write down passwords, or select passwords that can be readily guessed. User login and passwords therefore only provide a basic level of security that is not solely relied upon, particularly for financial networks accessible via the Internet such as online banking systems.

A secondary level or factor of authentication may be relied upon for added security based on something users have in their possession, such as a special purpose hardware device. For example, after entering a valid user name and password to access a network, the device such as a token may provide a user with a code as part of the login process. The code may be a six digit number that changes at regularly timed intervals and must usually be entered within a specified amount of time. The token thus provides a secondary code/password for the user to enter as part of the login process. Alternatively, another hardware security device referred to sometimes as a “dongle” may be physically connected to a computer interface such as a USB port. This device may sometimes be used to identify end users connecting from a particular device. A fixed system component serial number and other hardware methods used to uniquely identify specific network devices are also used to limit access to “known” devices. Unfortunately, these methods are plainly visible to the world and can be copied or simulated. These systems provide more security but are not perfect and can be impractical in protecting large networks accessible by a large number of users or customers. There is usually a high cost of ownership for such added security measures, which are also intrusive and take away from the user experience.

Other user authentication solutions are available today involving services provided by third parties. For example, the use of digital certificates and trusted third party Certificate Authorities (CAs) is an increasingly popular way of ensuring that the party connecting to a network is indeed who they claim to be. Unfortunately, digital certificates can be copied and stolen. Moreover, significant trust must be placed in third party verification groups that do not have a direct vested interest in or knowledge of the secured networks that are relying upon them. The requirement for network users to utilize certificates can also create a significant burden on users of large networks, particularly for customers of financial or banking institutions.

An Internet Protocol (IP) address and geographical-location services relying upon IP address are also used to verify end-users or to cross reference likely physical location information related to a user. These methods are limited by the fact that many Internet users obtain a new temporary IP address every time they connect to the Internet instead of maintaining a permanent address (dynamic vs. static IP addresses). The use of IP addresses to pinpoint the location of a connected device is also inherently flawed by the nature in which blocks of IP numbers are distributed and the relative ease of IP spoofing, a technique used by network intruders to make it appear that they are using another device or connecting from a trusted or different IP address.

There is a need for an improved network security fraud detection system. It would be desirable to have a solution that is transparent to the user and implemented alternatively as a standalone solution or as part of an integrated fraud detection and prevention system.

SUMMARY OF INVENTION

The invention provides methods and apparatus for providing network security. Various aspects of the invention described herein may be applied to any of the particular applications set forth below or to any other type of network that is secured and user accessible. The invention may be applied as a standalone tool or as part of an integrated software solution against online fraud and identity theft. Some preferable embodiments of the invention can be optionally integrated into existing networks and business processes seamlessly, including those used by financial and banking institutions. It shall be understood that different aspects of the invention can be appreciated individually, collectively or in combination with each other.

The invention provides systems and methods for creating and analyzing computer tag information for the prevention or detection of potential fraud. Computers and other devices that access the Web may carry device tags in accordance with a preferable embodiment of the invention. These device tags may include date and time information that describes when they were issued by a security tag server. For example, a server time stamp may be inserted into a computer tag such as a cookie, indicating when it was created. In a preferable embodiment of the invention, the computer tag may be a time stamped cookie that includes “date of creation” or “created” data portions. More preferably, such time stamp information can be encrypted so that it is not apparent, as most cookie related information is. The computer tags provided herein may be analyzed during future attempts to access a secure network, such as a customer attempting to log into an online banking account. When the time stamp information from the tag is compared to other selected information about the account, including but not limited to last account log-in date/time or account creation date, the invention may be able to detect suspicious activity. For example, recently issued computer tags may be flagged as suspicious for accounts that have not been logged into for a long time or for online accounts that were created quite some time ago. Accordingly, physical devices involved in suspicious or fraudulent activity, or devices associated with accounts involved in suspicious activity, can be prevented from connecting to a network.

Another embodiment of the invention provides an advanced fraud detection and prevention system that can reduce the risk of Internet fraud and identity theft. The system allows a business to detect a potential problem or hacker by spotting a relatively large number or cluster of recently issued computer tags over a period of time. This may suggest suspicious or illegal behavior based on parameters established by online merchants and others conducting business on the Internet, including banks and financial institutions. This information can also be used so that a business can make educated decisions about how or whether to authenticate users or customers based at least in part on time stamps, which are preferably encrypted. When tags are issued for network devices, and how many are issued, may also be considered in comparison to the history of the accounts or resources those devices are attempting to access.

In yet another embodiment of the invention, a method is provided for detecting fraud during a connection of a network device or computer to a financial institution server. Initially, an application is launched on a network device, such as a Web browser, through which an online session can begin. The financial server may determine that the network device is a registered network device having an assigned computer tag with embedded server time stamp information. In preferable embodiments the computer tag may be a cookie with server time stamp information indicating when it was created. The computer tag is then forwarded to a fraud detection system within a secure network environment in which the financial institution server also resides. The fraud detection system then analyzes the creation or issued date of the computer tag from the network device to determine if there is suspected fraud or unauthorized access. This analysis may include decryption procedures when the time stamp information is, preferably, encrypted. If the server time stamp information does not suggest fraudulent or improper activity, then access to the financial server is granted to the network device.

Another embodiment of the invention provides a network security and fraud detection/prevention system. The system protects a secure network with at least one web server and a network device that connects to the web server over a communications network such as the Internet. The web server may include a fraud detection means that analyzes a time stamped computer tag stored on the network device. When the network device connects to the web server, information is gathered about the network device tag to determine when it was created by the fraud detection means. The fraud detection means may also include a database and means for receiving the time stamped computer tag, storing the tag in the database and associating the tag with user information for possible future use in identifying discernable commonalities or patterns of fraudulent behavior.

Other goals and advantages of the invention will be further appreciated and understood when considered in conjunction with the following description and accompanying drawings. While the following description may contain specific details describing particular embodiments of the invention, this should not be construed as limitations to the scope of the invention but rather as an exemplification of preferable embodiments. For each aspect of the invention, many variations are possible as suggested herein that are known to those of ordinary skill in the art. A variety of changes and modifications can be made within the scope of the invention without departing from the spirit thereof.

INCORPORATION BY REFERENCE

All publications and patent applications mentioned in this specification are herein incorporated by reference to the same extent as if each individual publication or patent application was specifically and individually indicated to be incorporated by reference.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the invention may be described by reference to the following detailed description that sets forth illustrative embodiments and the accompanying figures.

FIG. 1 is a diagram illustrating a computer-implemented electronic transaction network whereby network devices can access a computer network configured with a fraud detection system capable of analyzing time stamped tags associated with network devices.

FIG. 2 is a table of tag information with corresponding time stamps that may be analyzed by fraud detection systems provided in accordance with the invention.

FIG. 3 is a flowchart describing computer tagging and fraud detection methods provided in accordance with the invention.

DETAILED DESCRIPTION OF INVENTION

The invention provides systems and methods for fraud detection and prevention. Some of the preferable embodiments of the invention can be applied to detecting and/or preventing attacks on secure networks for online businesses such as financial institutions and banks. It will be appreciated however that the invention may be applied to any type of transaction in which it may be desirable to authenticate a network device or user attempting to access an online account or resource over a communications network.

Many aspects of the invention exploit the tendencies of hackers and cyber criminals to remove or modify information that may track or otherwise draw attention to their actions. By monitoring certain activity or events based on when they occur or occurred, an organization can draw associations between account activity from its customers and potentially fraudulent transactions. Illustrated below are embodiments of the invention which employ time stamped device or computer tags that are created by a fraud detection server and reside in the memory of a physical device. These tags may include information such as server time stamp information which relates to when they were created by the fraud detection server. Some embodiments of the invention may provide added security by encrypting the server time stamp information in the tag, or the entire tag or cookie, so it is less obvious or apparent to would-be hackers or others. In particular, the computer tags provided in accordance with the invention may preferably exist as encrypted portions of cookies stored in the memory of devices, often sent by servers to Web browsers. It shall be understood that the time stamped computer tags herein may be used in combination with any other information, such as a customer ID number or identifier, a phone number, a driver's license number, a social security number, mailing address, ship-to address, credit card number, email address, retail purchase location, and any other information captured during an online purchase or transaction, to identify and minimize transaction fraud and identity theft. Accordingly, the fraud detection systems and methods herein may utilize a time stamped computer tag alone or in combination with a device fingerprint or other data that identifies a device in a relatively unique manner.

FIG. 1 is a diagram illustrating a computer-implemented electronic transaction system consisting of one or more network devices 10 connectable to a secure network 12. The network 12 may be operated by online businesses such as a financial institution which offer online access to customers or other users. A fraud detection system 14 may be included as a part of or in communication with the network 12. A fraud detection server 16 and a time stamped computer tag database 22 may be included in the fraud detection system for issuing and storing time stamped computer tags in accordance with the invention. In addition, a computer tag analyzer 20 may be incorporated into the fraud detection system for analyzing information within tags such as server time stamp information. The fraud detection system may be a standalone tool or function as part of an overall secure network operated by the financial institution. For example, a financial institution network may be accessible to network devices over a private network or over a communications network 18 such as the Internet (World Wide Web) or any other network that is capable of communicating digital data, including a wireless or cellular network. When the fraud detection server 16 is connected to the communications network 18, the data between network devices 10, such as those used by banking customers, and the fraud detection server may be encrypted or travel over a virtual private network to ensure privacy and security. The network devices 10 may connect to a financial institution network as shown over the communications network 18 using well known data protocols such as HTTP, HTTPS and the like. A financial institution may provide a banking service such as online account access to each network device connected to it, and it may perform electronic transactions with network devices such as authorizing electronic payment or transfer of funds. Such electronic transactions are susceptible to fraud and each network device can be tagged in accordance with the invention to reduce the risk of fraud.

The fraud detection server 16 and computer tag analyzer 20 may receive and process account information and time stamped computer tag information from network devices 10 accessing the secure network 12. At least some of this information can be analyzed by the tag analyzer 20 to determine device related or server time stamp information indicating when the tag was issued by fraud detection server 16. These and other computer analyzers used in accordance with the invention herein include devices that analyze given data such as computer tag and cookie information. They can examine in detail the contents or structure of the given data and can try to find patterns and relationships between parts of the data or other information accessible by the fraud detection system. Such computer analyzers can be pieces of hardware and/or software programs running on one or more computers within the systems provided herein. By analyzing the server time stamp information and comparing it to other known information about the particular account or resource accessible within the network in accordance with an embodiment of the invention, a fraud detection system may detect fraudulent activities across the electronic transaction network. In particular, the fraud detection servers/systems may also uniquely track physical devices, register unique devices, track end-user logins, associate an end-user account with one or more specific devices, associate a device with one or more end-user accounts, and consider this information along with other computer tag information.

A preferable embodiment of the invention provides downloaded computer tags or cookies having encrypted server time stamps indicating when they were created and delivered to devices. The use of encrypted time stamps can be implemented with any of the embodiments of the invention described herein. For example, a cookie may be downloaded and stored in device memory. When viewing the contents of the cookie, which is often data in the form of a text file, it is preferable not to make apparent or obvious the existence of the time stamp in order to reduce the risk of cookie tampering. The time stamp information (7/31/2007 7:40 PM) may be encrypted by the fraud detection system according to a selected encryption key or algorithm as known in the field. The seemingly irrelevant or indecipherable set of characters (ABC123GH XY45) may have no meaning other than for purposes of the fraud detection system. Encryption conceals the time stamp but does not by itself let the server tell an edited or fabricated cookie from a genuine one; that is the role of the cookie signature described under Cookie Building and Storage below, which the analyzer checks before it relies on a decrypted time stamp. When the network device attempts to access an account within the secure network, the time stamped cookie is delivered to the fraud detection system for analysis in accordance with the invention (see FIG. 1). The time stamp information may be decrypted by the fraud detection system and reviewed to determine when it was issued by the fraud detection server/system. With this time stamp information, the fraud detection analyzer and system may perform fraud prevention and detection functions in accordance with other aspects of the invention described herein.

For certain applications of the invention, a network device may request access to an electronic transaction network and a particular account for an online business such as e-Bay, Amazon.com, Bank of America, or other e-commerce company. To gain access to the account, complete a transaction, or access a particular part of the network, a user typically completes a log in and authentication procedure through the network device. When the network device has been previously tagged in accordance with the invention, the tag information along with its server time stamp information can be passed on to the fraud detection server and system for analysis. Preferably, at least the server time stamp information in the computer tag is encrypted by the fraud detection server so it is not obvious and readily manipulated. The encrypted time stamp information can be decrypted by the fraud detection server according to whatever encryption algorithms or methods are selected by and known only to or controlled by the online business or financial institution. Moreover, the computer tag may exist in the form of a cookie (an HTTP cookie, a Web cookie) stored in the memory of the device along with other information commonly used to facilitate the exchange of information between a browser and web server. Encrypted time stamp information may be included with the other data usually found in the cookie text files such as an expiration date, a path, and domain name. When the network devices have not been tagged previously, they may be assigned a new computer tag by the fraud detection system in accordance with another embodiment of the invention, with a time stamp having a current issue date or time. A computer tag may be downloaded to a device from the fraud detection system to perform its “tagging.” The system may subsequently request and determine if the device already has a time stamped computer tag from the server, or will request a new time stamped computer tag if none exists for the network device.

Network Devices

Network devices described herein may be a variety of communication devices including but not limited to a personal computer, server computer, laptop computer, personal digital assistant (PDA) such as a Palm-based device or Windows CE device, a cellular phone, a wireless device such as a wireless email device or other device capable of communicating wirelessly with a computer network, or any other computing resource that has the processor, memory and input/output capabilities to be able to communicate with a computer network and handle electronic transactions. The network device may also be a telephone, for example, to order items from a mail order catalog. For many applications of the invention, the network device is a personal computer with a display such as a cathode ray tube or liquid crystal display (LCD) for displaying information and images to the user of the network device. One or more input/output devices such as keyboards and a mouse permit the user to operate the network device and to permit it to access the Web. The device can be connected to a communications network via a network interface card, cable modem, a DSL modem, wireless modem, telephone line modem and other hardware. The network device may further comprise one or more processors and memory storage devices, including an optical tape drive or optical drive, a hard disk drive, or flash memory, so the device memory can store data even when the computer system is powered down. Other memory such as SRAM, DRAM, or SDRAM may also be included to temporarily store data being executed by the processor.

Secure Networks

The secure networks accessed by network devices herein may be a combination of one or more Web-based server computer(s), such as web servers, an application server, a database server, etc., that are capable of communicating with network devices over a communications network, such as the Internet or a wireless network, and are capable of downloading web pages or a software application to the network device. The secure network may comprise one or more processors, one or more persistent storage devices and memory. For the secure network to interact with the network devices, the network memory may store (and the processor(s) may run) a server operating system and a transaction processing software system to facilitate electronic transactions between the secure network and network devices.

In another preferable embodiment of the invention, a computer tag system may include server computers within a secure network that can also access databases with related user account history and log-in information. A computer tag may be created, delivered and stored on a client computer preferably as a small block of data or (persistent) cookie that facilitates exchanges with the secure network. The computer tag includes server time stamp information, preferably encrypted by the computer tag system before delivery to the client. In addition, the computer tag may be stored within a computer memory residing on the client computer that is analyzed when connected to the secure network. Furthermore, the computer tag can be delivered to the client computer through conventional methods and embedded within a common software product like a web browser, or even embedded in hardware or memory, any of which would be accessible when a connection to the network is established. A computer tag can also be delivered on demand, through a JavaScript, ActiveX control, or similar technology as a user connects to a secure network through a web browser. Other user related information that is accessible to the secure network can be considered together with time stamped computer tag or cookie information provided herein.

Browsers and Cookies

When network devices are communicating with secure networks as described herein, they may run browser software or similar applications. Browsers may be configured to store into a computer memory time stamped computer tags provided in accordance with the invention. The computer tags herein may constitute an entire cookie or be included as part of a cookie commonly used with Web browsers. In general, a cookie contains data or messages that facilitate online sessions between network devices and (Web) servers or sites over the Internet. For example, a graphical user interface for a personal computer may permit the user to execute a browser application program such as Mozilla Firefox, Netscape Navigator and Microsoft Internet Explorer. The browser options may be selected to enable or allow the download of cookies or computer tags with server time stamp information from fraud detection systems described herein. The information or data within cookies can be modified, in a preferable embodiment of the invention, with time stamp information while still allowing them to fulfill their common purpose of identifying users and preparing customized or personalized web pages. One of the benefits provided by this aspect of the invention is the ability to exploit a relatively small amount of data in a manner that can largely escape the attention of a hacker. Server time stamp information is a piece of information that can be used as a marker for fraudulent activity when pieced together with other account information as described herein. When encrypted/decrypted, this information may become even less noticeable or of concern to hackers, yet be exploited and recognized in particular by fraud detection systems herein.

During online sessions between user devices and a Web site, cookies can be sent back to servers when logging on or when pages are requested. When a user enters a Web site that uses cookies, certain information about that person such as name and preferences can be requested and retained. This information can be packaged into a cookie along with server time/date (time stamp) information according to a server computer clock that will be sent back to the Web browser and stored for future use. Persistent or permanent cookies are preferably selected herein and stored in a device memory (hard drive) between sessions and logins until they expire at a certain expiration date or are deleted. The next time the user logs on or requests a page or information from the Web site, the browser can send the previously issued cookie along with its packaged information and time stamp information in accordance with the invention. While the web server can use the cookie information to present customized web pages for the user, a fraud detection system within a site network can also detect the possibility of fraud in accordance with the invention. The time stamp information can be analyzed by the fraud detection system provided herein to determine if the cookie was recently issued. For many authorized users who would not ordinarily delete computer cookies or tags, such time stamp information would not be particularly recent (e.g., weeks, months old). Meanwhile, fraudsters or hackers will often delete cookies from their computers before attacking web servers and computer systems. In some instances, recently issued cookies may be only a few minutes or hours old in comparison to days or weeks. So hacker accesses to web servers will usually result in having either no cookies, in which case they can be immediately issued new time stamped cookies as described herein, or recently issued cookies as determined by a fraud detection system or methods herein. A recently issued cookie is also what a legitimate customer presents after clearing cookies, changing browsers or using a new device, so a fresh time stamp is a signal to be weighed rather than a verdict on its own. The fraud detection system can consider the frequency and number of recently issued cookies in combination with other patterns or parameters relied upon in detecting potential fraud as designated or relied upon by the online business.

Cookie Building and Storage

The fraud detection server may initiate the storage of a time stamped cookie on a user computer system in a variety of ways. For example, to build and store the cookie, the fraud detection server may generate an identifier to a cookie builder which may correspond to a particular user or not (random or arbitrary). The cookie builder may include the user identifier in the cookie and may add other status information to the cookie, plus a server time stamp. The identifier and the other information may optionally be processed by a cookie signer, which signs the cookie using conventional cryptographic techniques, such as by hashing the identifier, and optionally the other information, using a secret hash key (a keyed hash such as an HMAC) to produce a hash result referred to herein as the cookie signature. The cookie signer may provide the cookie signature, identifier and time stamp information (collectively referred to as the cookie) to a cookie encryptor, which preferably encrypts the cookie using conventional encryption techniques, such as using the public key of a public key/private key pair or using a symmetric key. The cookie encryptor may then direct the cookie to a user browser for storage of the encrypted cookie in a cookie storage location on the user computer or device via various communication and network interfaces, and optionally over an SSL connection.

It shall be understood that the storage of the cookies provided herein may be accomplished in conventional memory or disk storage and may be a portion (cookie folder) thereof used for the storage of cookies. Alternatively, the memory may be another part of the user computer system or may reside in a removable device such as a smart card or USB memory token, a portable memory device that interfaces to a personal computer through a USB port, such as the USB Memory Key or the like. Although a cookie is selected in this described embodiment, other types of encrypted data or files, certificates or other similar data structures may be used in accordance with the concepts of the invention.

Cookie Analysis

A user may request a page from a Web site through a browser during a session with an online business such as a bank or financial institution. The browser may send a request to a server within a secure network via communication interfaces and a network. The communication interfaces can pass the request to a Web application running within the secure network, which can be a conventional application program modified for various applications such as online banking. The Web application may authenticate the user and facilitate various kinds of transactions.

During user authentication or at any other time during a session, the fraud detection systems herein may read the encrypted cookie provided by the browser from a cookie storage area. The encrypted cookie may be passed to a fraud detection server and cookie analyzer (see FIG. 1), which can be configured with a cookie decryptor to decrypt the encrypted cookie, and then separate or consider the time stamp information apart from the remainder of the cookie for analysis, such as determining how old the cookie is or when it was created.
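The cookie builder and cookie signer described in the tagging section above, together with the analyzer step just described, as an added example in Python; this is illustrative code, not the patent's own implementation. It assumes a JSON payload carrying the identifier and an ISO 8601 server time stamp, an HMAC-SHA256 cookie signature keyed with a constructed secret hash key, and a dotted base64 wire format. The cookie encryptor stage is left out, so the time stamp here is tamper-evident but readable; a deployment would wrap the string with a symmetric or public-key cipher as the text describes.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed demo value: the secret hash key lives only on the security tag server.
SECRET_HASH_KEY = b"demo-secret-hash-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def build_tag(issued_at: datetime, identifier: str = None, key: bytes = SECRET_HASH_KEY) -> str:
    """Cookie builder plus cookie signer.

    The identifier may be random (not tied to any user). The server time stamp is
    the caller's server clock reading. The cookie signature is an HMAC over the
    identifier and time stamp, keyed with the secret hash key.
    """
    if identifier is None:
        identifier = secrets.token_hex(8)
    if issued_at.tzinfo is None:
        raise ValueError("issued_at must be a timezone-aware server time stamp")
    payload = json.dumps(
        {"id": identifier, "ts": issued_at.astimezone(timezone.utc).isoformat()},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def parse_tag(tag: str, now: datetime, key: bytes = SECRET_HASH_KEY):
    """Cookie analyzer: verify the signature first, then return (identifier, issued_at, age)."""
    try:
        payload_b64, signature_b64 = tag.split(".")
        payload = _unb64(payload_b64)
        signature = _unb64(signature_b64)
    except ValueError as exc:  # wrong number of parts or invalid base64
        raise ValueError("malformed tag") from exc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("cookie signature does not verify")
    body = json.loads(payload)
    issued_at = datetime.fromisoformat(body["ts"])
    return body["id"], issued_at, now - issued_at


def verify_tag(tag: str, now: datetime, key: bytes = SECRET_HASH_KEY) -> bool:
    """True only when the tag parses and its signature matches the server's key."""
    try:
        parse_tag(tag, now, key)
        return True
    except ValueError:
        return False


def demo():
    """Round trip on constructed data: issue a tag, analyze it two hours later."""
    issued = datetime(2007, 7, 12, 16, 25, tzinfo=timezone.utc)  # constructed server time
    tag = build_tag(issued, identifier="TAG-1")
    ident, ts, age = parse_tag(tag, now=issued + timedelta(hours=2))
    # A tag signed under some other key carries the same fields but is rejected.
    other = build_tag(issued, identifier="TAG-1", key=b"some-other-key")
    return {
        "identifier": ident,
        "issued_iso": ts.isoformat(),
        "age_hours": age.total_seconds() / 3600,
        "other_key_accepted": verify_tag(other, issued),
        "garbage_accepted": verify_tag("not-a-tag", issued),
    }


if __name__ == "__main__":
    print(demo())
```

The analyzer checks the signature before it reads the time stamp, so a device cannot make its tag look older or newer than the server issued it without the secret hash key; the age computed by `parse_tag` is what the fraud rules in the later sections consume.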

Additional Fraud Analysis

In another embodiment of the invention, a secure network administrator or fraud analyst can actively screen information for various accounts. These accounts may be identified by the fraud detection system according to time stamped computer tags sharing the same or substantially the same creation date/time. Suspicious accounts may be identified for further investigation by fraud analysts. For example, a number of accounts with stated addresses may be logged in from the same network device, all with newly created computer tags; this may be flagged or identified as suspicious. The fraud detection and prevention systems herein may also automatically or manually generate information related to collected time stamped computer tag information to identify spikes or large numbers of computer tags issued or created with a particular server creation date/time.

Furthermore, the invention takes into consideration that many attackers or hackers are likely to access relatively large numbers of different accounts within a particular network and within a particular time frame. Large or massive scale hacking may be performed quickly with automated computers and programs. By comparing accesses to multiple accounts by a device bearing the same or nearly the same computer tag and recent time stamp information, it may be possible to detect patterns of unauthorized access. It shall be understood that the invention may be applied with other systems and methods which authenticate or uniquely identify devices according to a device fingerprint or identifier, including but not limited to those described in U.S. patent application Ser. No. 11/241,739 filed on Sep. 29, 2005, US 2006/0048211 (Pierson et al.) and U.S. Pat. No. 7,100,049 (Gasparini et al.), which are incorporated by reference in their entirety herein.

Additional information about users may be maintained and also used for further fraud analysis by the systems and methods herein, such as last successful login date and time, last unsuccessful login date and time, total successful logins, total unsuccessful logins, etc.

FIG. 2 is a computer tag information table listing corresponding time stamps for a set of exemplary tags. Various tag and time stamp tables provided in accordance with this aspect of the invention can be stored in databases and analyzed by fraud detection systems provided herein (see FIG. 1). A tag number (TAG #1) can be any arrangement of numbers and/or characters that are issued by a fraud detection server for devices previously without tags. The time stamp information can be set to a selected computer clock, preferably to a server computer clock for one or more of the fraud detection servers within a fraud detection system. Any format indicating time that includes date and/or time information can be applied to the invention. For example, when time stamps include date information, the month/day/year (7/12/2007) format can be used as illustrated, or other formats can be used (7/12/2007, 12/7/07, July 12, 2007). Time stamps provided here can also include hour and minute information in various formats (4:25 pm, 4:25:55, 16:25 pm PDT). It shall be understood that the various kinds of time stamp information described herein can be stored, modified and encrypted/decrypted as known by those skilled in the art.
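Because the table may hold time stamps in any of the formats listed above, a fraud detection server that compares tags from several issuing servers has to normalize them to one clock before computing ages. The following added Python example is not from the patent; it assumes each issuing server declares the date layout, time layout and UTC offset it used (strptime layout strings are an assumption), converts an entry to UTC, and shows why a purely numeric date such as 12/7/07 must not be accepted without a declared layout. The page's "16:25 pm PDT" example mixes 24-hour time with an am/pm marker and is not a layout strptime can express, so it is omitted.

```python
from datetime import datetime, timedelta, timezone
from typing import Set


def normalize_time_stamp(date_text: str, time_text: str,
                         date_layout: str, time_layout: str,
                         utc_offset_hours: int = 0) -> str:
    """Parse one table entry under the layout its issuing server declared.

    Returns the instant as an ISO 8601 string in UTC so that tags issued by
    servers on different clocks (or in different notations) compare directly.
    """
    local = datetime.strptime(f"{date_text} {time_text}", f"{date_layout} {time_layout}")
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc).isoformat()


def candidate_dates(numeric_date: str) -> Set[str]:
    """Every calendar date a numeric date could denote under month/day or day/month
    ordering. More than one result means the entry is ambiguous without a layout."""
    out: Set[str] = set()
    for layout in ("%m/%d/%y", "%d/%m/%y", "%m/%d/%Y", "%d/%m/%Y"):
        try:
            out.add(datetime.strptime(numeric_date, layout).date().isoformat())
        except ValueError:  # digits do not fit this layout
            pass
    return out


def demo():
    """Three notations of the same instant (constructed: 12 July 2007, 4:25 pm PDT)."""
    pdt = -7  # PDT is UTC-7
    return {
        "mdy_12h": normalize_time_stamp("7/12/2007", "4:25 pm", "%m/%d/%Y", "%I:%M %p", pdt),
        "dmy_24h": normalize_time_stamp("12/7/07", "16:25", "%d/%m/%y", "%H:%M", pdt),
        "long_sec": normalize_time_stamp("July 12, 2007", "16:25:00", "%B %d, %Y", "%H:%M:%S", pdt),
        "ambiguous": sorted(candidate_dates("12/7/07")),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the layout alongside each tag's time stamp (or, better, issuing all tags in one canonical format) removes the ambiguity that `candidate_dates` exposes; a month/day swap on a numeric date would silently make a fresh tag look five months old or vice versa.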

A preferable embodiment of the invention provides a fraud detection system that can monitor suspected fraudulent activity by utilizing one or more time stamp databases stored in a computer readable memory. A fraud detection server can access and update a time stamp database with information obtained from computer tags retrieved from devices trying to access a secure network (see FIG. 1). The time stamped computer tags on devices may be analyzed by the fraud detection system to indicate when they were generated and whether they were recently issued. Based on the time stamp information retrieved from the network device, by itself or in combination with other available information from an online business, the likelihood of fraud being committed by the particular end-user with the network device is determined so that appropriate action may be taken. For example, when a (threshold) number of accounts are accessed within a predetermined period of time, all having recently issued computer tags within a particular period of time (e.g., 1 hour), some or all of these accounts may be flagged for potential fraud and further investigation. In other instances where there may be suspected fraud, a recently issued tag may be received from a device trying to access an account that had not been logged into for a long time. Unless expired or intentionally deleted by a user for a valid purpose, computer tags or cookies are not deleted or disabled from a device, in order to permit interaction with most Internet Web sites and servers. Other conditions or possible indicators of unauthorized access include a device trying to access a relatively older account that was created a long time ago. It has been observed that many attackers or hackers are likely to remove computer tags such as cookies stored on their computer or device before attempting to access numerous accounts within a secure network. By deleting the cookie or computer tag and/or by accessing a relatively large number of accounts at an online business or financial institution, a significant number of new computer tags may be generated and flagged for possible fraud in accordance with the invention.
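The three indicators just described (a threshold number of accounts reached within a predetermined period, all with recently issued tags; a fresh tag on a long-dormant account; and one tag seen on many accounts, which the earlier paragraph on automated access and the later "shared computer report" also rely on), as an added Python example that is not part of the patent. The `Access` record, the constructed log rows, and all thresholds are assumptions; claim 1 and claim 9 in the claims below state the first rule in the same terms.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Access:
    """One attempt to reach an account, as the fraud detection server sees it (assumed shape)."""
    account: str
    tag_id: str
    tag_issued_at: datetime            # server time stamp carried in the computer tag
    analysed_at: datetime              # when the fraud detection system read the tag
    last_login_at: Optional[datetime]  # from the online business's own account records


def tag_age(a: Access) -> timedelta:
    return a.analysed_at - a.tag_issued_at


def recently_issued(a: Access, max_age: timedelta) -> bool:
    """A tag is 'recently issued' when issuance-to-analysis time is below a threshold."""
    return tag_age(a) < max_age


def burst_of_fresh_tags(accesses: Iterable[Access], max_age: timedelta,
                        window: timedelta, min_accounts: int) -> Set[str]:
    """Flag accounts when at least min_accounts distinct accounts are reached within
    one sliding window, each by a device whose tag is younger than max_age."""
    fresh = sorted((a for a in accesses if recently_issued(a, max_age)),
                   key=lambda a: a.analysed_at)
    flagged: Set[str] = set()
    for i, last in enumerate(fresh):
        start = last.analysed_at - window
        accounts = {a.account for a in fresh[: i + 1] if a.analysed_at >= start}
        if len(accounts) >= min_accounts:
            flagged |= accounts
    return flagged


def dormant_account_fresh_tag(accesses: Iterable[Access], max_age: timedelta,
                              dormant_after: timedelta) -> Set[str]:
    """A recently issued tag arriving at an account nobody has logged into for a long time."""
    return {
        a.account for a in accesses
        if recently_issued(a, max_age)
        and a.last_login_at is not None
        and a.analysed_at - a.last_login_at > dormant_after
    }


def shared_tag_accounts(accesses: Iterable[Access], min_accounts: int) -> Dict[str, Set[str]]:
    """One device tag seen on min_accounts or more different accounts."""
    by_tag: Dict[str, Set[str]] = {}
    for a in accesses:
        by_tag.setdefault(a.tag_id, set()).add(a.account)
    return {t: accts for t, accts in by_tag.items() if len(accts) >= min_accounts}


def mins(n: int) -> timedelta:
    return timedelta(minutes=n)


def days(n: int) -> timedelta:
    return timedelta(days=n)


def constructed_accesses() -> List[Access]:
    """Constructed sample rows; no real accounts or devices."""
    t0 = datetime(2007, 7, 12, 16, 25, tzinfo=timezone.utc)
    rows: List[Access] = []
    # Five accounts reached within ten minutes, every tag issued minutes earlier.
    for i in range(5):
        rows.append(Access(f"acct-10{i + 1}", f"TAG-A{i + 1}",
                           t0 - mins(3), t0 + mins(2 * i), t0 - days(10)))
    # A device tagged 500 days ago on the account it normally uses.
    rows.append(Access("acct-200", "TAG-OLD", t0 - days(500), t0 + mins(1), t0 - days(3)))
    # A fresh tag on an account with no login for 400 days.
    rows.append(Access("acct-300", "TAG-NEW", t0 - mins(1), t0 + mins(40), t0 - days(400)))
    # One month-old tag used on three different accounts.
    for i in range(3):
        rows.append(Access(f"acct-40{i + 1}", "TAG-S",
                           t0 - days(30), t0 + mins(50 + 2 * i), t0 - days(1)))
    return rows


def demo():
    rows = constructed_accesses()
    hour, ten_min, year = timedelta(hours=1), timedelta(minutes=10), timedelta(days=365)
    return {
        "burst": burst_of_fresh_tags(rows, max_age=hour, window=ten_min, min_accounts=5),
        "dormant": dormant_account_fresh_tag(rows, max_age=hour, dormant_after=year),
        "shared": shared_tag_accounts(rows, min_accounts=3),
    }


if __name__ == "__main__":
    print(demo())
```

Each rule returns the set of accounts (or tags) to hand to a fraud analyst rather than a verdict, matching the text's "flagged for further investigation"; the thresholds are the tunable fraud tolerance levels that the web admin module described later would expose.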

In an alternative embodiment of the invention, a network device may be initially granted access to the network and an online account to perform an electronic transaction. If fraudulent activity occurs during this electronic transaction, the time stamp information associated with the network device may also be stored in a database within the fraud detection system for possibly detecting other instances of fraud with network devices having similarly dated computer tags. In this manner, the online business can utilize such fraud information selectively so that a fraud committed in one account is logged and tracked by the fraud detection system. Accordingly, a user or network device that has committed fraudulent activities may be tracked even when the network device is used to log into a different account.

Furthermore, the fraud detection server/system and computer tag systems herein may comprise administrative components including a web admin module or a reports module. The web admin module may permit administrator level management of the secure network to perform various functions such as tuning or setting its fraud tolerance levels, inspecting and changing individual customers' fraud status, and checking relationships and activity of customers to one another. For example, a financial institution may be able to detect an influx or sudden spike of newly created computer tags associated with the accounts of its online customers within a particular period of time. A reports module may also help a business keep apprised of existing accounts suspected of fraud as well as their historical information.

Fraud Detection Servers and Modules

The fraud detection servers herein may be a stand-alone computing device, such as a server computer, although their functions may be distributed among various devices as described above. The fraud server may include one or more processors and persistent storage devices and memory as described above. The fraud server may further include a database server/manager that stores the time stamped computer tags in accordance with the invention. A fraud detection server memory may store a server operating system and a variety of software modules including an administrator software module, a fraud detector software module, a reports software module and a tagger software module, wherein each module comprises a plurality of instructions (and associated data) that are executed by the processor to implement the fraud detection and prevention system and methods herein.

The administrator module, in a preferable embodiment, may generate administrator web pages that determine how a user can interact with the system and configure the system. For example, the administrator web pages may permit modification of how the fraud detection server and analyzers process time stamped computer tag information herein.

The reports software module can provide reports with information from the fraud detection and prevention system and its databases. For example, the system may generate a daily change report, such as a fraud report listing the network devices that possessed similar computer tags or cookies created at or around the same date/time and their status, or a shared computer report listing all of the network devices that have multiple computer tags or cookies associated with them.

The fraud detector software module may contain the instructions and logic to process analyzed data relating to the network devices and users. This program may determine relationships and possible correlations between network devices and the time stamped computer tags provided herein.

Another aspect of the invention provides protocols and methods for detecting possible fraud by analyzing time stamped computer tags. As illustrated in FIG. 3, computer tagging and fraud detection methods are provided herein. For example, when a user attempts to log on to a Web site server, the fraud detection system/analyzer may be alerted to check or analyze a time stamped computer tag retrieved from the user device. If the device does not have one already, then a new time stamped computer tag can be generated by the fraud detection server as described herein. New devices can be tagged herein by a variety of methods including the downloading of time stamped cookies containing encrypted creation time/date information stored in device memory. If the device already has a time stamped computer tag, it can be analyzed so that time stamp information can be retrieved. A decryption step may be performed by a computer tag analyzer when time stamp information is encrypted according to methods selected ahead of time by the fraud detection system.

Other embodiments of the invention described below provide alternative methods of tagging network devices in accordance with the invention. Such methods can determine how old a computer tag is or when it was created according to a server time stamp. This may be performed every time a device connects to a secure network, and may also be performed periodically at various points and intervals throughout an online session. When a network device attempts to connect to a network for the very first time, these methods ensure that the device is tagged with a computer tag such as a downloaded cookie containing a creation date/time. In preferable embodiments, these methods can unobtrusively store encrypted tags or at least the time stamped portions thereof. This aspect of the invention includes other methods of utilizing the features and functionality provided by the fraud detection and prevention systems described above.

It should be understood from the foregoing that, while particular implementations have been illustrated and described, various modifications can be made thereto and are contemplated herein. It is also not intended that the invention be limited by the specific examples provided within the specification. While the invention has been described with reference to the aforementioned specification, the descriptions and illustrations of the preferable embodiments herein are not meant to be construed in a limiting sense. Furthermore, it shall be understood that all aspects of the invention are not limited to the specific depictions, configurations or relative proportions set forth herein, which depend upon a variety of conditions and variables. Various modifications in form and detail of the embodiments of the invention will be apparent to a person skilled in the art. It is therefore contemplated that the invention shall also cover any such modifications, variations and equivalents.

What is claimed is:
 1. A network security system for a financial institution comprising: one or more financial institution web servers, wherein the one or more financial institution web servers create time stamped computer tags; one or more customer network devices running a browser and receiving the time stamped computer tags from the financial institution web server, wherein the browser stores into a computer memory the time stamped computer tags; a computer network having the financial institution web server accessible by the customer network devices; a user account associated with the financial institution web server and accessed by a customer network device via the browser, wherein the financial institution web server includes a time stamped computer tag received from the customer network device over a communications network and associated with the user account; and a fraud detection system analyzing the time stamped computer tags received from the network devices to determine when they were created as part of a fraud risk analysis associated with user accounts, the fraud detection system providing an indication of fraud when an amount of time between issuance of the time stamped computer tag and analysis of the time stamped computer tag by the fraud detection system is less than a threshold value for a threshold number of accounts accessed within a predetermined period of time.
 2. The system as recited in claim 1, wherein the fraud detection system further comprises a computer tag database having a plurality of records, wherein each record further comprises at least one of the following: a computer tag identifier field, a time stamp field, and a user account information field containing information related to a particular user or a network device.
 3. The system of claim 1, wherein the computer tags are embedded in cookies downloadable to the network devices.
 4. The system of claim 1, wherein the computer tags are pieces of data that are automatically downloadable to network devices.
 5. The system of claim 4, wherein the pieces of data are encrypted.
 6. The system of claim 1, wherein the customer network devices include at least one of the following: a cellular phone, a personal digital assistant, a laptop computer, a personal computer and a telephone.
 7. The system of claim 1 wherein the browser comprises one or more options that are selectable to enable the download of computer tags with server time stamp information.
 8. The system of claim 1 wherein the time stamped computer tags are persistent and stored in network devices' memory between sessions and logins until they expire at an expiration date or are deleted.
 9. The system of claim 1 wherein the fraud detection system determines that time stamped computer tags are recently issued when an amount of time between the recently issued time stamped computer tags and analysis of the time stamped computer tags by the fraud detection system is less than a threshold value, and provides the indication of fraud when a number of recently issued time stamped computer tags exceeds a threshold number.
 10. The system of claim 1 wherein the time stamped computer tags have corresponding server time stamps.
 11. The system of claim 10 wherein the server time stamps are set to a server computer clock.
 12. The system of claim 11 wherein the server time stamps have varying formats.